Matt Hand matterpreter
matterpreter
/ CyrillicSwap.cs
Created
April 21, 2020 13:35
Swap Latin characters to Cyrillic lookalikes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static void CyrillicSwap(string latinString) | |
| { | |
| Console.OutputEncoding = Encoding.UTF8; | |
| Dictionary<string, string> CyrDict = new Dictionary<string, string>() | |
| { | |
| {"a", "а"}, // \u0430 | |
| {"c", "с"}, // \u0441 | |
| {"e", "е"}, // \u0435 | |
| {"o", "о"}, // \u043e | |
| {"p", "р"}, // \u0440 |
matterpreter
/ NtMonitor.py
Last active
December 4, 2024 01:38
Frida script to spawn a process and monitor Native API calls
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import frida | |
| import sys | |
| def on_message(message, data): | |
| if message['type'] == 'send': | |
| print(message['payload']) | |
| elif message['type'] == 'error': | |
| print(message['stack']) | |
| else: | |
| print(message) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| lkd> dt -b nt!_EPROCESS | |
| +0x000 Pcb : _KPROCESS | |
| +0x000 Header : _DISPATCHER_HEADER | |
| +0x000 Lock : Int4B | |
| +0x000 LockNV : Int4B | |
| +0x000 Type : UChar | |
| +0x001 Signalling : UChar | |
| +0x002 Size : UChar | |
| +0x003 Reserved1 : UChar | |
| +0x000 TimerType : UChar |
matterpreter
/ CallTreeToJSON.py
Last active
February 4, 2025 14:25
Convert Ghidra Call Trees to JSON for Neo4j Ingestion
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #@author matterpreter | |
| #@category | |
| #@keybinding | |
| #@menupath | |
| #@toolbar | |
| ### | |
| # To import to Neo4j: | |
| # CREATE CONSTRAINT function_name ON (n:Function) ASSERT n.name IS UNIQUE | |
| # |
matterpreter
/ FindTargetImports.cs
Last active
November 28, 2022 04:43
Search all PE files in a directory for ones which import a specific DLL
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Concurrent; | |
| using System.Collections.Generic; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Linq; | |
| using System.Threading.Tasks; | |
| using PeNet; | |
| using PeNet.Header.Pe; |
matterpreter
/ RpcParser.java
Last active
March 9, 2022 00:21
Ghidra RPC procedure identification script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Locate RPC procecures inside of server code | |
| //@author Matt Hand (@matterpreter) based on original work by Sektor7 Labs (@reenz0h) | |
| //@category Functions | |
| //@keybinding | |
| //@menupath | |
| //@toolbar | |
| import ghidra.app.script.GhidraScript; | |
| import ghidra.program.model.block.*; | |
| import ghidra.program.model.symbol.*; |
matterpreter
/ Count-PInvokes.ipynb
Created
February 24, 2022 20:17
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Instantiate the object | |
| $clsid = '{A845DCD6-BB08-4F37-9BA5-AAC66F5ADDCE}' | |
| $obj = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID($clsid)) | |
| # Get the address of the IUnknown vtable | |
| Add-Type -AssemblyName 'System.Runtime.InteropServices' | |
| $iunk = [System.Runtime.InteropServices.Marshal]::GetIUnknownForObject($obj) | |
| $vtable = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($iunk) | |
| # Locate the in-proc server and get it's base address |
OlderNewer